CVE-2026-45585: YellowKey BitLocker Bypass

BitLocker, a critical security feature designed to safeguard data at rest, faces scrutiny following the discovery of a vulnerability that could allow unauthorized access to encrypted data. Known as CVE-2026-45585, or YellowKey, this flaw has raised alarms due to its potential to bypass BitLocker protections, particularly for users of Windows 11 versions 24H2, 25H2, and 26H1, as well as Windows Server 2025.

According to Microsoft, the vulnerability does not compromise BitLocker’s encryption itself; instead, it resides within the recovery environment that supports BitLocker. As reported by Help Net Security, the National Cyber Security Centre (NCSC) of the Netherlands emphasizes that the flaw is not rooted in the cryptographic mechanisms but rather in how the recovery environment operates. The researcher known as Nightmare Eclipse has publicly disclosed the zero-day vulnerability, providing a proof-of-concept that can be exploited with relative ease.

CVE-2026-45585 Analysis

The exploitation of CVE-2026-45585 occurs through the Windows Recovery Environment (WinRE), rather than via remote attacks. The Hacker News outlines that an attacker can execute the exploit by placing specially crafted FsTx files on a USB drive or EFI partition, connecting this media to a Windows system with BitLocker enabled, and rebooting into WinRE. By holding down the CTRL key, the attacker can trigger an unrestricted shell, potentially gaining access to the BitLocker-protected volume during the pre-boot recovery sequence.

This vulnerability is not a conventional malware dropper; rather, it represents a malicious setup that takes advantage of trusted pre-boot behavior. The implications are significant, as any affected machine with a USB port or EFI path that can be rebooted may become a target if an attacker gains physical access. The availability of a public proof-of-concept has further lowered the barriers for replication.

From a detection perspective, identifying CVE-2026-45585 poses challenges compared to network-borne vulnerabilities, as the exploit is local and occurs pre-boot. Currently, there are no vendor-published indicators of compromise (IOCs) associated with this vulnerability. Therefore, the most effective method for detection involves a thorough asset review: organizations should identify affected Windows 11 and Windows Server 2025 systems, assess their reliance on TPM-only BitLocker protection, and confirm whether Microsoft’s temporary mitigation has been applied to the WinRE image.

Organizations that utilize BitLocker to secure unattended laptops, mobile workstations, or portable servers are particularly vulnerable to this flaw. The primary risk lies in the potential loss of confidentiality when an attacker can access the recovery workflow before the legitimate user regains control of the device.

CVE-2026-45585 Mitigation

To address CVE-2026-45585, Microsoft has provided two main mitigation strategies. The first involves modifying the mounted WinRE image by removing the autofstx.exe entry from the Session Manager BootExecute REG_MULTI_SZ value. After saving the offline registry changes, administrators must unmount and commit the updated image to reestablish BitLocker trust for WinRE. Microsoft has also released a script to automate this process safely, ensuring that BitLocker trust remains intact.

The second mitigation strategy suggests transitioning devices from TPM-only protection to a TPM+PIN requirement at startup. This adjustment can be implemented on already encrypted systems through PowerShell, the command line, or Control Panel. For systems not yet encrypted, administrators are encouraged to enable additional authentication at startup through Group Policy or Intune and configure a startup PIN with TPM. Researchers have indicated that the first mitigation is effective, as it prevents the FsTx Auto Recovery Utility from launching automatically when WinRE starts, although some concerns about a separate bypass for TPM+PIN have been raised.
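The asset review described in the detection paragraph and the first mitigation above can be combined into one elevated PowerShell pass per host. The script below is an added example, not Microsoft's published mitigation script; it assumes that the BootExecute entry to drop is the one containing "autofstx", that the offline WinRE hive's active control set is ControlSet001, and that reagentc /mountre and /unmountre are available to mount and commit the registered WinRE image.

```powershell
# Added example, not Microsoft's mitigation script: audit one host for the CVE-2026-45585
# conditions the article lists (affected release, TPM-only BitLocker, autofstx.exe still in
# WinRE's BootExecute) and, with -Remediate, apply Microsoft's first mitigation offline.
# Run elevated. Assumptions: the BootExecute entry to drop is the one containing 'autofstx',
# and the offline hive's active control set is ControlSet001.
[CmdletBinding()]
param([switch]$Remediate, [string]$MountDir = 'C:\WinREMount')

$findings = @()
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
if ($ver.DisplayVersion -in '24H2', '25H2', '26H1') {
    $findings += "Release $($ver.ProductName) $($ver.DisplayVersion) is in the affected list"
}

# TPM-only means a Tpm protector with no PIN-based protector on the OS volume.
$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = $vol.KeyProtector.KeyProtectorType
if ('Tpm' -in $types -and -not ($types | Where-Object { $_ -match '^TpmPin' })) {
    $findings += 'OS volume relies on TPM-only protection; consider TPM+PIN'
}

# Mount the registered WinRE image and load its SYSTEM hive under a temporary key.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
reagentc /mountre /path $MountDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed ($LASTEXITCODE)" }
$hive = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
reg load HKLM\WinRE_SYS $hive | Out-Null
$commit = $false
try {
    $key  = 'HKLM:\WinRE_SYS\ControlSet001\Control\Session Manager'
    $boot = [string[]](Get-ItemProperty -Path $key -Name BootExecute).BootExecute
    $kept = [string[]]@($boot | Where-Object { $_ -notmatch 'autofstx' })
    if ($kept.Count -ne $boot.Count) {
        $findings += 'WinRE BootExecute still launches autofstx.exe (mitigation not applied)'
        if ($Remediate) {
            Set-ItemProperty -Path $key -Name BootExecute -Value $kept -Type MultiString
            $commit = $true
        }
    }
} finally {
    [gc]::Collect()                       # release hive handles before unloading
    reg unload HKLM\WinRE_SYS | Out-Null
    # Committing writes the edited image back so WinRE is re-registered with the change.
    if ($commit) { reagentc /unmountre /path $MountDir /commit | Out-Null }
    else         { reagentc /unmountre /path $MountDir /discard | Out-Null }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'No CVE-2026-45585 exposure conditions found on this host.' }
```

Without -Remediate the script only reports, which makes it usable for the fleet-wide review the detection section calls for; run it again after remediation to confirm the autofstx.exe finding has cleared.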

FAQ

What is CVE-2026-45585 and how does it work? CVE-2026-45585 is a BitLocker security feature bypass in Windows, also referred to as YellowKey. It exploits trusted behavior in the Windows Recovery Environment, allowing an attacker with physical access to trigger an unrestricted shell and access the encrypted volume during pre-boot recovery.

When was CVE-2026-45585 first discovered? The reports do not specify a private discovery date. However, Help Net Security notes that the zero-day was disclosed about a week prior to Microsoft’s mitigation, which was released on May 20, 2026, with an additional script update noted on May 21, 2026.

What is the impact of CVE-2026-45585 on systems? The primary impact is unauthorized access to BitLocker-protected data. A successful exploit allows someone with physical access to bypass the protections surrounding the encrypted drive, potentially exposing sensitive information.

Can CVE-2026-45585 still affect me in 2026? Yes, systems running the affected Windows 11 and Windows Server 2025 builds may still be vulnerable in 2026 if they have not implemented Microsoft’s mitigation and continue to rely on the vulnerable recovery behavior, especially in environments where physical access is not tightly controlled.

How can I protect myself from CVE-2026-45585? Implement Microsoft’s WinRE mitigation by removing autofstx.exe from the offline BootExecute setting and resealing BitLocker trust, or transition to a TPM+PIN requirement instead of relying solely on TPM-only startup protection. For new deployments, enable additional authentication at startup through policy to ensure BitLocker is not left dependent on the weaker default path.

Winsage